Add improvements from proofreading by Lisa and Benny

This commit is contained in:
jaseg 2025-11-21 18:15:39 +01:00
parent 210d82e57d
commit 63acc46714
5 changed files with 335 additions and 184 deletions

View file

@ -31,8 +31,9 @@ requires trusted relay stations due to fundamental physical limitations. In the
high-security QKD relays by securing the IHSM mesh passthrough with a secondary tamper-sensing mesh. In this setup, a
bracket design is proposed that supports passing through optical fibers at low loss.
The second proposed use case adapts an IHSM enclosure to the size, power and thermal dissiptation requirements of a
high-power server to support co-located secure Multiparty Computation (MPC) workloads. MPC in practice is limited by
network bandwidth and latency constraints that cannot be avoided without physically secure nodes. Conventional HSMs
cannot serve MPC workloads since their cryptographic performance is too low by many orders of magnitude. An IHSM-secured
MPC node circumvents these limitations, unlocking a new performance spectrum.
The second proposed use case adapts an IHSM enclosure to the size, power and thermal dissipation requirements of a
high-power server to support co-located secure Multiparty Computation (MPC) workloads. In practical MPC deployments,
nodes are distributed across data centers to avoid a single point of failure for physical attacks. As a result,
practical MPC deployments are limited by network bandwidth and latency constraints. Using IHSMs, physically secured MPC
nodes can be deployed within the same data center, increasing bandwidth, reducing latency and unlocking a new
performance spectrum.
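Review bot: the rewritten MPC paragraph (from "The second proposed use case" to "performance spectrum.") drops the old text's point that conventional HSMs cannot serve MPC workloads because their cryptographic performance is orders of magnitude too low; that sentence was the argument for why an IHSM rather than a conventional HSM is needed for a co-located node, so consider keeping a version of it. Also "Multiparty Computation (MPC)" here vs "Secure Multiparty Computation (SMPC)" in the introduction chapter; settle on one abbreviation thesis-wide. Minor: "In practical MPC deployments ... As a result, practical MPC deployments" repeats the phrase in consecutive sentences.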

View file

@ -13,27 +13,34 @@
2025.}
Looking at the landscape of computer security solutions, we are presented with a wide variety of vendors and products
that may give the impression that hardware security is a solved problem. Vendors sell various claims rangning from
\emph{You don't need hardware security, just do it in the cloud!} to \emph{Buy our HSM and you will be secure!}. In
\emph{You don't need hardware security, just do it in the cloud!}~\cite{
utimacoWhatCloudHSM2025,
microsoftOverviewAzureCloud,
ibmCloudHSM2016,
amazonAWSCloudHSM,
googleCloudHSMCloud2025,
WhatCloudHSM}
to \emph{Buy our HSM and you will be secure!}~\cite{utimacoUseCases,thalesLunaNetworkHardware}. In
practice, things are not as easy and even well-intentioned projects still often go awry on the hardware security
dimension. To motivate our research into physical security in this thesis, in this chapter we will have a look at one
such project that was done by capable people with the best intentions, yet it resulted in a hardware security design
that is dangerously inadequate for the purpose.
Beginning May 2025, after several delays, Germany has started the nation-scale rollout of its new electronic medical
record system. The system aims to create a national database accessible to all healthcare providers that holds the
complete electronic medical records of all publically insured people living in Germany. The system aims to replace
paper-based workflows that are error-prone and lead to healthcare providers often only having access to a subset of
patient's medical records. Data in scope for the system includes medical letters, laboratory results, and medical
imaging files.
record system, named ePA (short for \emph{elektronische Patientenakte}, ``electronic patient record''). The system aims
to create a national database accessible to all healthcare providers that holds the complete electronic medical records
of all publically insured people living in Germany. The system aims to replace paper-based workflows that are
error-prone and lead to healthcare providers often only having access to a subset of patient's medical records. Data in
scope for the system includes medical letters, laboratory results, and medical imaging files.
Due to Germany's mandatory health insurance laws, the system's user base encompasses the majority of all German
residents. People who have replaced their public health insurance with private insurance as of now are not subject to
the system. In Germany, by law private health insurance is only available to people from the top 10th percentile of
household income. This means that the system disproportionally affects people who have low income, creating an equity
issue. While it is possible to opt out from the use of the system, the process of opting out is difficult. Additionally,
the government and health insurance providers have publically depicted the system in a one-sidedly positive way, meaning
that it is unlikely the majority of people subject to the system have a comprehensive understanding of the system's
benefits and risks that would be necessary for an informed decision.
issue. While it is possible to opt out from the use of the new digital record, the process of opting out is difficult.
Additionally, the government and health insurance providers have publically depicted the system in a one-sidedly
positive way, meaning that it is unlikely the majority of people subject to the system have a comprehensive
understanding of the system's benefits and risks that would be necessary for an informed decision.
While there has been loud criticism of the system's security from civil society organizations such as digital rights
nonprofit organization Chaos Computer Club (CCC) \cite{kochMoreMoreExperts2025} and several severe security flaws have
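Review bot: two spelling issues survive into the new lines: "publically" (twice) should be "publicly", and "a subset of patient's medical records" needs the plural possessive "patients'". The unchanged context line "Vendors sell various claims rangning from" has "rangning" for "ranging"; worth fixing while this paragraph is being touched. Also "People who have replaced their public health insurance with private insurance as of now are not subject to the system" reads better as "are, as of now, not subject to the system".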
@ -41,11 +48,11 @@ been demonstrated practically, this criticism has largely been ignored by the po
that despite this civil society outrage and the system's large scale, it has received little attention from the academic
cryptography and information security community.
In this chapter, we aim to point out some perplexing cryptographic engineering decisions in the system. In particular,
we point out that the system's core per-user secrets are kept in a rudimentary key escrow system whose security is based
on engineering assumptions, not on cryptographic principles. Furthermore, we observe that by specification, the
individual user keys of the system are derived from a per-user cleartext salt based on a system-wide long-term secret
with only 256 bits of entropy\footnote{
In this chapter, we aim to point out some unconventional cryptographic engineering decisions in the system. In
particular, we point out that the system's core per-user secrets are kept in a rudimentary key escrow system whose
security is based on engineering assumptions, not on cryptographic principles. Furthermore, we observe that by
specification, the individual user keys of the system are derived from a per-user cleartext salt based on a system-wide
long-term secret with only 256 bits of entropy\footnote{
In previous versions of the standard \cite{
gematikSpezifikationSchluesselgenerierungsdienstEPA2023,
gematikUebergreifendeSpezifikationVerwendung2025,
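Review bot: "derived from a per-user cleartext salt based on a system-wide long-term secret" reads as if the salt is what is derived from the secret; suggest "derived from a system-wide long-term secret using a per-user cleartext salt", which matches the Design section's description of root key, salt and ID number going into SHA256-HKDF. The change from "perplexing" to "unconventional" is a good tone fix.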
@ -63,7 +70,7 @@ We base our analysis of the ePA on the system's publicly available standards in
of the paper underlying this chapter in April 2025, describing version 3.0 of the healthcare record system \cite{
gematikSpezifikationAktensystemEPA2025,
gematikUbergreifendeSpezifikationVerwendung2024,
}. We note that the implementation might well deviate from these standards and be more secure--however, with the
}. We note that the implementation might well deviate from these standards and be more secure---however, with the
system's history of flaws, we believe this is unlikely to be the case. The reference implementation provided by the
specification authority \cite{GithubRepositoryERPFD} follows the specified minimum requirements closely. As of now,
there is no meaningful way for either the public or for researchers such as us to ascertain the concrete implementation
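Review bot: the \cite list ending "gematikUbergreifendeSpezifikationVerwendung2024," followed by "}" leaves a trailing comma inside \cite{}; depending on the biblatex version this produces an empty-key warning or a stray separator in the output, so drop the comma. The "--" to "---" change is right for an unspaced em dash, but the introduction chapter hunk keeps spaced "--" ("attacks -- such as Trusted Platform Modules"); make the dash convention consistent across chapters.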
@ -71,48 +78,48 @@ security of the system.
\section{The Design of ePA}
ePA (short for \emph{elektronische Patientenakte}, ``electronic patient record''), is embedded into Germany's national
public healthcare backend system ``Telematikinfrastruktur'' (TI). TI is a highly complex system, and a detailed
description would exceed the limits of this analysis. Briefly put, TI consists of a shared DMZ that parties like
insurance providers and healthcare providers connect to through a VPN. At the client location, usually an individual
doctor's office or a hospital, this VPN connection is terminated by a specialized VPN appliance named ``Konnektor'' that
simultaneously acts as a trusted component inside the client network hosting some software for purposes such as
authentication. The Konnektor contains several smart cards that store keys used for authentication. Konnektor devices
are offered by several vendors and healthcare providers like doctor's offices are indivudally responsible for purchasing
and maintaining a Konnektor.
ePA is embedded into Germany's national public healthcare backend system ``Telematikinfrastruktur'' (TI). TI is a highly
complex system, and a detailed description would exceed the limits of this analysis. Briefly put, TI consists of a
shared demilitarized zone (DMZ) that parties like insurance providers and healthcare providers connect to through a VPN.
At the client location, usually an individual doctor's office or a hospital, this VPN connection is terminated by a
specialized VPN appliance named ``Konnektor'' that simultaneously acts as a trusted component inside the client network
hosting some software for purposes such as authentication. The Konnektor contains several smart cards that store keys
used for authentication. Konnektor devices are offered by several vendors and healthcare providers like doctor's offices
are indivudally responsible for purchasing and maintaining a Konnektor.
% FIXME: Is there a threat/trust model of the system that you could summarise in a few sentences?
Every person enrolled in the system as well as every healthcare professional providing services under it is issued an ID
card that contains a smart card that contains keys used to authenticate towards the central infrastructure. The primary
use of these smart cards up to now is that when someone visits a healthcare provider, they will insert their ID card
into a terminal so the healthcare provider can automatically fetch their personal information such as name, birth date,
card that contains a smart card with keys to authenticate towards the central infrastructure. The primary use of these
smart cards up to now is that when an enrolled person visits a healthcare provider, they will insert their ID card into
a terminal so the healthcare provider can automatically fetch their personal information such as name, birth date,
address and enrollment status from their insurance provider.
ePA is implemented inside the TI system. Its centralized services are accessed by healthcare providers through the TI's
VPN. Patient records are encrypted and decrypted inside TI's backend systems. Smart cards authenticate parties and
hardware devices to each other. Each insurance provider picks one of several implementations of ePA's server-side
infrastructure to run for its clients. Currently, there are two approved implementations of this server-side
infrastructure.
VPN, and by patients through proxy servers connected to TI's VPN. Patient records are encrypted and decrypted inside
TI's backend systems. Smart cards authenticate parties and hardware devices to each other. Each insurance provider picks
one of several implementations of ePA's server-side infrastructure to run for its clients. Currently, there are two
approved implementations of this server-side infrastructure.
With the current version of the specificatoin, the overall architecture of ePA heavily relies on Trusted Execution
Environments (TEEs). Data processing on the server side is done in plaintext inside TEEs, with some cryptographic key
management delegated to a Hardware Security Module. While attacks on the TEEs are considered in the system, the HSMs are
assumed to be perfectly secure, and the system does not include mitigations for a compromised HSM. The primary
motivation for plaintext processing seems to be to enable large-scale data analysis for research purposes without
requiring consent or cooperation of the people whose records are being processed.
requiring consent or cooperation of the people whose records are being
processed~\cite{gematikWhitepaperDatenschutzUnd2025}.
The primary services offered by the server side are authentication services, key escrow, and a database storing the
encrypted records themselves. Records are symmetrically encrypted with keys that are derived from system-wide secrets
inside an HSM. The primary motivation behind the use of a key escrow service seems to be to enable the creation of a
duplicate patient ID smartcard in case a person looses theirs. While the current version of the standard is unclear on
the exact mechanism of key derivation, in previous versions of the standard, the escrow service's root key, a random
salt, and the healthcare ID number of the person owning the record was used in SHA256-HKDF. The specification requires
duplicate user ID smartcard in case an enrolled person looses theirs. While the current version of the standard is
unclear on the exact mechanism of key derivation, in previous versions of the standard, the escrow service's root key, a
random salt, and the healthcare ID number of the enrolled person was used in SHA256-HKDF. The specification requires
that a new root key is generated once a year, but as far as we can tell, record key rollover is not done automatically
but is only meant to be done when the \emph{user} requests it, and old root keys must be retained forever to ensure old
records can be accessed.
\section{Related Work}
\subsection{Related Work}
The state-owned company specifying the system commissioned several security assessments of the system relating to the
key escrow service. \textcite{fischlinKryptographischeAnalyseSpezifikation2021} focuses on the cryptographic
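Review bot: typos in the new lines: "are indivudally responsible" should be "individually", and "in case an enrolled person looses theirs" should be "loses"; the unchanged context line "With the current version of the specificatoin" has "specificatoin". "the escrow service's root key, a random salt, and the healthcare ID number of the enrolled person was used in SHA256-HKDF" has a compound subject and needs "were used". The demotion of \section{Related Work} to \subsection makes related work a child of "The Design of ePA" while "Conclusion" later stays a \section; confirm that nesting is intended. The FIXME asking for a short threat/trust model summary is still open in this hunk.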
@ -197,18 +204,18 @@ the extraction of any patient records being processed in plaintext inside these
Physical security has received some consideration in the system's specification. First, smart cards are used extensively
for authentication. Second, Hardware Security Modules are used in key locations of the system to process some
cryptographic secrets. The core of the system's key escrow service is implemented inside an HSM. However, it is notable
that the actual security level required for this HSM is only FIPS 140-2 level
3 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}. Not only has FIPS 140-2
been superseded by FIPS 140-3 since
2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security level 3
mostly provides logical separation of cryptographic functions from other logic and is not very meaningful in the context
of physical attacks. The only physical requirement of FIPS 140-2 level 3 is that the HSM has a hard, opaque coating.
This coating is specified to be tamper-evident, but notably no active tamper detection or response features are required
by this standard. In contrast to the newer FIPS 140-3 standard and the related ISO/IEC 19790 \cite{ISOIEC19790} as well
as ISO/IEC 24759 \cite{ISOIEC24759} standards, FIPS 140-2 does not make any particular requirements regarding resistance
to side-channel attacks. The lack of tamper response, unspecified resistance to side-channel attacks and the fact that
the ePA specification only requires the long-lived key escrow root key inside the HSM to have 256 bits of entropy lead
to an unsatisfactory overall constellation.
that the actual security level required for this HSM is only FIPS 140-2 level 3
\cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2002}. FIPS 140-2 is a US government
standard that used to be popular for the specification of HSMs. However, not only has FIPS 140-2 been superseded by FIPS
140-3 since 2019 \cite{usnationalinstituteofstandardsandtechnologySecurityRequirementsCryptographic2019}, its security
level 3 mostly provides logical separation of cryptographic functions from other logic and is not very meaningful in the
context of physical attacks. The only physical requirement of FIPS 140-2 level 3 is that the HSM has a hard, opaque
coating. This coating is specified to be tamper-evident, but notably no active tamper detection or response features are
required by this standard~\cite{andersonSecurityEngineeringGuide2020}. In contrast to the newer FIPS 140-3 standard and
the related ISO/IEC 19790 \cite{ISOIEC19790} as well as ISO/IEC 24759 \cite{ISOIEC24759} standards, FIPS 140-2 does not
make any particular requirements regarding resistance to side-channel attacks. The lack of tamper response, unspecified
resistance to side-channel attacks and the fact that the ePA specification only requires the long-lived key escrow root
key inside the HSM to have 256 bits of entropy lead to an unsatisfactory overall constellation.
\section{Conclusion}
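Review bot: "lead to an unsatisfactory overall constellation" in the last new line: "constellation" is a calque of the German "Konstellation"; "combination" or "situation" reads naturally in English. The new citation "required by this standard~\cite{andersonSecurityEngineeringGuide2020}" cites Anderson for a requirement of FIPS 140-2, while the standard itself is cited two sentences earlier; pointing at the relevant section of the standard would be the stronger support for what the standard does and does not require.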

View file

@ -202,8 +202,9 @@ of the system is powered off. In practice, the main challenge with continuous mo
the design of the monitoring circuit. A large portion of industry attention has been spent on designing low-power
monitoring circuits that are sensitive to tampering with the mesh while using little enough power to enable years of
operation from a battery. Commonly, one or two cylindrical or large coin cell Lithium primary batteries are used,
providing in the order of \qtyrange{10}{20}{\watt\hour} over their lifetime. Broken down to an unpowered storage life of
e.g.\ 5 years, this corresponds to a maximum average power consumption of \qty{450}{\micro\watt}.
providing in the order of \qty{10}{\watt\hour} over their lifetime\cite{horowitzArtElectronics2024}. Broken down to an
unpowered storage life of e.g.\ 5 years, this corresponds to a maximum average power consumption of less than
\qty{230}{\micro\watt}.
% relevant categories: (H01L23/576), (G06K19/07372)
% keyword: wire covering
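Review bot: the arithmetic in the new lines checks out: \qty{10}{\watt\hour} over 5 years (roughly 43,800 h) gives about 228 µW, so "less than \qty{230}{\micro\watt}" is correct and consistent with dropping the 20 Wh upper bound of the old \qtyrange. Style: "lifetime\cite{horowitzArtElectronics2024}" lacks the non-breaking "~" used before \cite elsewhere in this commit (e.g. "required by this standard~\cite{...}"); add it for consistency.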
@ -391,20 +392,20 @@ ATMs are built in a modular construction approach. Physically, the enclosure of
barrier. Besides the enclosure, there are two security barriers worthy of note. First, the bank notes in the machine are
stored in an automatic cash dispenser that is built into a traditional vault inside the machine. This vault primarily
acts as a mechanical barrier to discourage theft, but it also often includes tamper sensors that activate an Intelligent
Banknote Neutralisation System (IBNS). The IBNS is designed to spread hard-to-remove ink over the bank notes inside the
vault when tampered. The permanently stained bank notes are not accepted by banks or retailers anymore.
% FIXME cite https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
% archive: https://web.archive.org/web/20250822134238/https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf
% FIXME cite https://www.ecb.europa.eu/euro/banknotes/damaged/html/index.en.html
% FIXME cite https://www.bcl.lu/en/Banknotes-and-Coins/remboursement/billets-macules1/index.html
Banknote Neutralisation System (IBNS)~\cite{
banquecentraleduluxembourgInkstainedBanknotes,
europeancentralbankDamagedInkstainedBanknotes2023,
oberthurcashprotectionIntroductionCashProtection2019}.
The IBNS is designed to spread hard-to-remove ink over the bank notes inside the vault when tampered. The permanently
stained bank notes are not accepted by banks or retailers anymore.
Besides the vault, the another security barrier is located inside the ATM's pin pad. While all communication with the
customer's card passes through an end-to-end encrypted channel from the bank's backends into the card's smartcard IC,
the customer must necessarily enter their pin in plain text. To prevent leakage of the plaintext PIN, the PIN is
encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the encryption. Often,
both the circuit board containing the PIN pad's keyboard matrix and this microcontroller are shielded by a tamper
sensing mesh to prevent physical attacks such as the installation of a skimming device that would record and transmit
the plaintex PIN.
encrypted inside the PIN pad itself. To this end, the PIN pad contains a microcontroller handling the
encryption~\cite{andersonSecurityEngineeringGuide2020}. Often, both the circuit board containing the PIN pad's keyboard
matrix and this microcontroller are shielded by a tamper sensing mesh to prevent physical attacks such as the
installation of a skimming device that would record and transmit the plaintex PIN.
We acquired three different EPPs for analysis: Two designed by Sagem and apparently re-sold as a whitelabel product by
Cryptera and Diebold, respectively, and one made by and branded NCR. All three devices have robust stainless steel front
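Review bot: "the plaintex PIN" in the last new line should be "plaintext"; the unchanged context "Besides the vault, the another security barrier" has a stray "the". Capitalisation of PIN is inconsistent within this paragraph ("pin pad", "their pin in plain text" vs "PIN pad", "plaintext PIN"); use "PIN" throughout. "spread hard-to-remove ink over the bank notes inside the vault when tampered" wants "when tampered with".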
@ -427,13 +428,14 @@ sealed sheet metal enclosure.
\subsection{Methodology}
We proceeded by first photographing every test specimen from multiple angles, then disassembling them. After
disassembly, we photographed each major component. Figure~\ref{fig_hsm_survey_sample_internal_pics} shows a selection of
these photos showing the major internal components of the devices. After photos were taken, we proceeded with
destructive techniques where necessary to understand the devices' use of tamper-sensing meshes. We took microscope
photos where we found interesting small structures. PCBs were sectioned using a sanding drum attachment on a Dremel
rotary tool. Potted modules were disassembled using milling, cutting and prying, and applying heat from a heat gun as
necessary to soften polymer compounds and to break glue joints.
In this survey, we aim to create a comprehensive taxonomy of tamper sensing mesh construction methods across a range of
devices. To this purpose, we proceeded by first photographing every test specimen from multiple angles, then
disassembling them. After disassembly, we photographed each major component.
Figure~\ref{fig_hsm_survey_sample_internal_pics} shows a selection of these photos showing the major internal components
of the devices. After photos were taken, we proceeded with destructive techniques where necessary to understand the
devices' use of tamper-sensing meshes. We took microscope photos where we found interesting small structures. PCBs were
sectioned using a sanding drum attachment on a Dremel rotary tool. Potted modules were disassembled using milling,
cutting and prying, and applying heat from a heat gun as necessary to soften polymer compounds and to break glue joints.
\begin{figure}
\begin{tabular}[c]{cccc}
@ -1267,19 +1269,6 @@ imaging can be actively detected to trigger a tamper alarm. During CT imaging, a
images are taken. X-ray radiation can be reliably detected using off-the-shelf sensors that usually consist of a
large-area photodiode coupled to a scintillator crystal converting X-ray photons to visible light.
\subsection{Application of Inertial HSM technology}
The widespread use of inexpensive but low-security commodity processes shows that in practical applications, cost is
often prioritized over security. The IHSM approach complements such a system that uses a low-security mesh material and
increases its security without needing a more advanced mesh material. Construction techniques that improve the security
of conventional systems such as the use of multiple, spaced layers and low-contrast trace materials can be directly
applied to IHSM systems. The three-dimensional layout of a mesh becomes easier in an IHSM implementation since features
like corners between mesh panels or gaps between mesh layers in most layouts are protected by the mesh's motion. An
unintended advantage that results in IHSM implementations over conventional meshes is that they would provide a level of
intrinsic resistance to X-ray and CT imaging. In contrast to optical cameras in the visible spectrum, X-ray image
sensors need integration times in the hundreds of milliseconds or longer, which makes them unsuitable to image a quickly
moving target.
\section{Conclusion}
In this survey, we have analyzed a wide variety in tamper sensing mesh construction techniques. Meshes are commonly
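Review bot: this hunk deletes the whole "Application of Inertial HSM technology" subsection, but only its last sentences (three-dimensional layout, X-ray/CT resistance) reappear in the Conclusion hunk below. The opening argument is lost: that cost is prioritised over security in commodity mesh processes and that the IHSM approach complements a low-security mesh material without needing a more advanced one. The Conclusion's "construction techniques ... can be carried over" keeps the second half of the old paragraph but not that point; consider retaining it. Also, the unchanged context "a wide variety in tamper sensing mesh construction techniques" should be "variety of".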
@ -1316,5 +1305,10 @@ the security of devices seen in the wild should be achievable to most engineers.
We find that the IHSM approach is a natural extension of the state of the art that we saw reflected in tamper sensing
mesh implementations in the field, and that the construction techniques that have been applied to improve their security
can be carried over to IHSM implementations.
can be carried over to IHSM implementations. The three-dimensional layout of a mesh becomes easier in an IHSM
implementation since features like corners between mesh panels or gaps between mesh layers in most layouts are protected
by the mesh's motion. An unintended advantage that results in IHSM implementations over conventional meshes is that they
would provide a level of intrinsic resistance to X-ray and CT imaging. In contrast to optical cameras in the visible
spectrum, X-ray image sensors need integration times in the hundreds of milliseconds or longer, which makes them
unsuitable to image a quickly moving target.
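Review bot: "An unintended advantage that results in IHSM implementations over conventional meshes" is awkward in the new lines; suggest "An incidental advantage of IHSM implementations over conventional meshes". The hedged "they would provide" is appropriate, since the X-ray integration-time argument is reasoned rather than measured in this survey.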

View file

@ -10,10 +10,10 @@
All Cops Are Bastards, or ACAB is a slogan popular in far left and anarchist circles since the mid-twentieth century
that expresses a rejection of state authority~\cite{constantinouAppliedResearchPolicing2021}. While politically, this
blanket rejection is a fringe viewpoint with no mainstream acceptance, there exists an interesting parallel between this
and modern cryptographic best practice. In modern cryptography, it is generally seen as best practice to have the least
amount of keys possible involved in any computation. and cryptographers have time and time again strongly rejected
attempts by states and other authorities to insert backdoor access mechanisms into cryptographic systems~\cite{
blanket rejection is a fringe viewpoint with no mainstream acceptance, there exists a parallel between this and modern
cryptographic best practice. In modern cryptography, it is generally seen as best practice to have the least amount of
keys possible involved in any computation. and cryptographers have time and time again strongly rejected attempts by
states and other authorities to insert backdoor access mechanisms into cryptographic systems~\cite{
abelsonRisksKeyRecovery1997,
abelsonKeysDoormats2015,
andersonSecurityEngineeringGuide2020,
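Review bot: the broken sentence in "involved in any computation. and cryptographers have time and time again" survives from the old text into the new lines; the full stop should be a comma. "the least amount of keys possible" would be "the fewest keys possible" (count noun). Otherwise the tightening from "an interesting parallel" to "a parallel" is good.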
@ -25,10 +25,9 @@ While at a glance it might sound like a fringe position held by people from the
hughesCypherpunksManifesto,
jarvisCryptoWarsFight2020,
marlinspikeWeShouldAll2013},
it enjoys support far beyond those circles and throughout mainstream academic cryptography. The aversion of
cryptographers against backdoor access shows up everywhere. From cryptographic protocol standards like TLS, to
cryptographic applications like the Signal messenger, backdoor access is not only excluded from the system design, its
possibility is considered a potential vulnerability.
it enjoys support far beyond those circles and throughout mainstream academic cryptography. From cryptographic protocol
standards like TLS, to cryptographic applications like the Signal messenger, backdoor access is not only excluded from
the system design, its possibility is considered a vulnerability.
% Measures such as forward secrecy and post-compromise security are taken to mitigate its impact. In computing, this
% design aspect makes cryptographic protocols a unique holdout. In other parts of the stack, explicit or implicit
% backdoor access is commonplace, and attempts at preventing it are rare. For instance, network providers are generally
@ -37,44 +36,12 @@ possibility is considered a potential vulnerability.
% protocols generally hold, and the gold standard for backdoor access to modern systems is either exploiting a
% \emph{zero-day} flaw that is not yet publically known, or acquiring physical access to the target system.
\section{Research Questions}
In this thesis, we wish to extend the level of protection afforded by cryptographic protocol design down the technology
In this thesis, we aim to extend the level of protection afforded by cryptographic protocol design down the technology
stack. While cryptographic protocols and modern software from the operating system up make it possible to secure the
software side of the stack to a high level, the hardware side remains poorly protected. There are a variety of hardware
security solutions in the wild, but the majority of them either do not target protection against local, physical attacks
-- such as Trusted Platform Modules (TPMs) -- or are not widely available due to market segmentation or cost -- such as
conventional Hardware Security Modules (HSMs).
We approach this task by solving three research questions that progress from theory to practical deployment.
\begin{enumerate}
\item Can we achieve physical security without relying on conventional tamper-sensing meshes?
\item Can we monitor tamper-sensing meshes at a higher detail level than the state of the art of a single, scalar
measurement?
\item Can we create the components necessary for a system that provides a useful security guarantee in practice?
\end{enumerate}
To solve our first research question, we propose the Inertial Hardware Security Module (IHSM), a new type of HSM that
extends the high level of protection offered by the modern cryptographic software stack down to the hardware level,
enabling secure computation in insecure places.
To solve our second question, we propose improvements to the state of the art in HSM tamper sensors such as the use of
low-cost, embeddable Time-Domain Reflectometry (TDR) that not only improve the security of IHSMs, but that can even be
applied to conventional HSMs.
Finally, we solve our last research question by showing in two case studies how an end-to-end design of an IHSM-secured
data processing system could look like. Both case studies concern scenarios that IHSMs unlock that were previously
infeasible using conventional HSMs: Datacenter-scale Secure Multiparty Computation (SMPC) and long-range Quantum Key
Distribution (QKD) networks. As part of this effort we provide a solution adapting and improving upon the state of the
art in wireless power transfer to supply a rotating inertial HSM with a clean, stable power supply.
We chose to publish all of our research as open source and unencumbered by patents to enable widespread adoption. IHSMs
can be custom built with only basic manufacturing capabilities at small scale and enable the deployment of secure
computation in insecure places even to small organizations such as university research departments, NGOs and small
businesses.
\section{Cryptographic Principles and Physical Reality}
security solutions used in practice, but the majority of them either do not target protection against local, physical
attacks -- such as Trusted Platform Modules (TPMs) -- or are not widely available due to market segmentation or cost --
such as conventional Hardware Security Modules (HSMs).
While anarchists, Cypherpunks and Hackers often reject backdoor access out of political conviction alone,
Cryptographers' aversion to backdoor access derives from a combination of two fundamental computing principles:
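Review bot: this hunk removes the entire "Research Questions" section (the three enumerated questions and their answers) together with the "\section{Cryptographic Principles and Physical Reality}" heading. The commit's 335 additions suggest the section was moved, but nothing in the visible hunks shows where, so confirm it is re-inserted; without the heading, the following "While anarchists, Cypherpunks and Hackers ..." paragraph now sits directly under the ACAB introduction. In the surviving new lines, "attacks -- such as Trusted Platform Modules (TPMs) -- or are not widely available" uses spaced "--" where the ePA chapter hunk switched to "---"; make the dash style consistent. "in the wild" to "used in practice" is a good register fix.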
@ -85,70 +52,128 @@ Kerckhoffs' principle, and the principle of least authority. Kerckhoffs' princip
}, named after Dutch military cryptographer Auguste Kerckhoffs, expresses that the security of a cryptographic system
should only depend on the secrecy of its keys, not on the secrecy of its design. In this way, Kerckhoff's principle
states the opposite of the widespread industry practice of \emph{Security by Obscurity}, which aims to achieve security
by making it sufficiently annoying to cryptoanalyze a system that nobody bothers. Complementary to Kerckhoff's principle
is the principle of least authority, which describes that in a secure system each component should only have access to
the smallest set of capabilities necessary to fulfill its purpose. Applying both to a cryptographic system means that
the system's design should be transparent and not include any hidden components or opaque parts that cannot be
inspected, and that the system's keys should be scoped to place the least amount of trust possible in each participating
party.
by making it sufficiently costly to cryptoanalyze a system that the attempt becomes unattractive. The reliance of
contemporary hardware security measures such as the majority of Physically Unclonable Functions (PUFs) on chip-scale
integration as their main barrier against manipulation is an instance where Kerckhoffs' principle is violated.
Let's take a basic videoconferencing system as an example. In our example system's deployment, users log on to a central
conference server, which receives and distributes the users' video streams. Allowing backdoor access to the video
streams to some third party like a datacenter operator or a state would violate Kerckhoffs' principle since it would
have to be hidden from the systems' participants, who would therefore not have a complete view of the systems' deployed
architecture. The principle of least authority would also be violated since in almost all cases, such a backdoor access
system would not see legitimate use. As a result, it would possess capabilities that almost never would be essential to
the proper function of the videoconference system.
Complementary to Kerckhoff's principle is the principle of least authority, which describes that in a secure system each
component should only have access to the smallest set of capabilities necessary to fulfill its purpose. Applying both to
a cryptographic system means that the system's design should be transparent and not include any hidden components or
opaque parts that cannot be inspected, and that the system's keys should be scoped to place the least amount of trust
possible in each participating party. Existing HSMs are an example of a violation of the principle of least authority
since they elevate the HSM manufacturer to a single point of failure. Since the tamper sensing mesh foils used in
conventional HSMs are made in proprietary, bespoke processes, they cannot be manufactured independently.
In their design, almost all modern software -- especially open source -- cleanly applies these principles. However, the
practical reality after deployment almost always deviates from them. While backdoors are vanishingly rare in modern
open-source software, practical depoloyments usually are vulnerable to physical attacks. Computer hardware generally is
not designed with a local attacker with advanced physical attack capabilities in mind since no mitigation can fully
prevent them---such attacks usually can only be detected, or at best slowed down. As a result, commonplace attacks
against modern software often involve taking over the hardware at some point in the chain. Even End-to-End-Encrypted
(E2EE) communication systems can be compromised if one of the encrypted channel's endpoints can be physically
compromised. Corresponding \emph{digital forensics} capabilities are commonplace among state actors, and are available
as a turnkey solution on the market.
\section{Research Questions and Contributions}
\section{Inertial HSMs}
Based on the current state of the field of hardware security, we deduce three overarching research questions for this
thesis that progress from theory to practical deployment.
In this thesis, we propose Inertial HSMs to fill this gap in the protection of systems that are not critical enough to
warrant the expensive existing solutions such as conventional HSMs, while still handling highly sensitive data. In a
system with a secure software stack, the role of a HSM is to secure the hardware part of the stack. The basic approach
of a HSM is to combine a secure software stack with a fast self-destruct mechanism and tamper sensors. The self-destruct
mechanism can be hardware or software that quickly and securely destroys all cryptographic secrets, thereby rendering
the device worthless to an attacker. The tamper sensors are tasked with detecting any physical attack an attacker could
mount on the device. Common classes of such sensors include environmental sensors such as temperature or radiation
sensors that detect attempts at causing controllable faults in the HSM by heating, cooling or irradiating it. Building
on the basic protection offered by such sensors, \emph{tamper-sensing meshes} are often employed. These \emph{meshes}
are flexible foils containing circuit traces that are attached to the HSM's enclosure to detect attempts at penetrating
the shell of the device with probes. Tamper-sensing meshes usually are the primary line of defense against most physical
attacks. They are very effective at mitigating a large variety of physical attacks, but they are difficult to construct
securely as they usually require bespoke manufacturing processes. As a result, they are currently only used in niche
applications, and even there not every realization is equally secure.
\begin{enumerate}
\item Can we achieve physical security without relying on conventional tamper-sensing meshes?
\item Can we monitor tamper-sensing meshes at a higher detail level than the state of the art of a single, scalar
measurement?
\item Can we create the support components necessary to integrate a system that provides a practical security
guarantee?
\end{enumerate}
Inertial HSMs are a new design approach that utilizes mechanical motion to create secure tamper-sensing meshes from
simple components. IHSMs solve the issue of creating an impenetrable tamper-sensing envelope by replacing the bespoke
% FIXME: quote from anderson: Security economics remains a big soft spot, with security chips being in many
% ways a market for lemons. A banker buying HSMs probably wont be aware of
% the huge gap between FIPS level 3 and level 4, and understand that level 3 can
% sometimes be defeated with a Swiss army knife. The buying incentive there is
% compliance, and where real security clashes with operations its not surprising
% to see weaker standards designed to make compliance easier. API security is
% too hard, and the difference between HSMs internal and external APIs makes
% it too confusing. The near-abdication of FIPS in favour of ISO 19790 and vari-
% ous protection profiles touted under the Common Criteria will confuse things
% further, as will the UKs move away from the Criteria. Confusion marketing
% and liability games appear set to continue. But does this matter?
% First, most of the HSM business is moving to the cloud, with Azure and AWS
% each having of the order of 2,000 HSMs, and Google playing catchup. Instead of
% having a few thousand banks each running a few, or a few dozen, HSMs well
% have three companies running a few thousand. As the prices are driven down,
% the HSM vendor engineers expertise will be lost; and as the cloud service
% providers guard their datacentres, HSMs are likely to be replaced by crypto
% chips.
To answer our first research question, we propose the Inertial Hardware Security Module (IHSM), a new type of HSM that
extends the high level of protection offered by the modern cryptographic software stack down to the hardware level,
enabling secure computation in insecure places.
To answer our second question, we propose improvements to the state of the art in HSM tamper sensors such as the use of
low-cost, embeddable Time-Domain Reflectometry (TDR) that not only improve the security of IHSMs, but that can even be
applied to conventional HSMs.
Finally, we answer our last research question by showing in two case studies how an end-to-end design of an IHSM-secured
data processing system could look like. Both case studies concern scenarios that IHSMs unlock that were previously
infeasible using conventional HSMs: Datacenter-scale Secure Multiparty Computation (SMPC) and long-range Quantum Key
Distribution (QKD) networks. As part of this effort we provide a solution adapting and improving upon the state of the
art in wireless power transfer to supply a rotating inertial HSM with a clean, stable power supply.
We chose to publish all of our research as open source and unencumbered by patents to enable widespread adoption. IHSMs
can be custom built with only basic manufacturing capabilities at small scale and enable the deployment of secure
computation in insecure places even to small organizations such as university research departments, NGOs and small
businesses.
%\section{Cryptographic Principles and Physical Reality}
%Let's take a basic videoconferencing system as an example. In our example system's deployment, users log on to a central
%conference server, which receives and distributes the users' video streams. Allowing backdoor access to the video
%streams to some third party like a datacenter operator or a state would violate Kerckhoffs' principle since it would
%have to be hidden from the systems' participants, who would therefore not have a complete view of the systems' deployed
%architecture. The principle of least authority would also be violated since in almost all cases, such a backdoor access
%system would not see legitimate use. As a result, it would possess capabilities that almost never would be essential to
%the proper function of the videoconference system.
%In their design, almost all modern software -- especially open source -- cleanly applies these principles. However, the
%practical reality after deployment almost always deviates from them. While backdoors are vanishingly rare in modern
%open-source software, practical deployments usually are vulnerable to physical attacks. Computer hardware generally is
%not designed with a local attacker with advanced physical attack capabilities in mind since no mitigation can fully
%prevent them---such attacks usually can only be detected, or at best slowed down. As a result, commonplace attacks
%against modern software often involve taking over the hardware at some point in the chain. Even End-to-End-Encrypted
%(E2EE) communication systems can be compromised if one of the encrypted channel's endpoints can be physically
%compromised. Corresponding \emph{digital forensics} capabilities are commonplace among state actors, and are available
%as a turnkey solution on the market.
\section{Inertial Hardware Security Modules}
In this thesis, we propose Inertial Hardware Security Modules (IHSMs) to fill the gap of protecting systems that handle
highly sensitive data but that cannot use conventional HSMs for cost or performance reasons. In a system with a secure
software stack, the role of a HSM is to secure the hardware part of the stack. The basic approach of a HSM is to combine
a secure software stack with tamper sensors connected to a fast self-destruct mechanism. The tamper sensors are tasked
with detecting any physical attack an attacker could mount on the device. Common classes of such sensors include
environmental sensors such as temperature or radiation sensors that detect attempts at causing controllable faults in
the HSM by heating, cooling or irradiating it. Building on the basic protection offered by such sensors,
\emph{tamper-sensing meshes} are often employed. These \emph{meshes} are flexible foils containing circuit traces that
are attached to the HSM's enclosure to detect attempts at penetrating the shell of the device with probes.
Tamper-sensing meshes usually are the primary line of defense against most physical attacks. They are very effective at
mitigating a large variety of physical attacks, but they are difficult to construct securely as they usually require
bespoke manufacturing processes. As a result, they are currently only used in niche applications, and even there not
every realization is equally secure. The self-destruct mechanism can be hardware or software that quickly and securely
destroys all cryptographic secrets, thereby rendering the device worthless to an attacker.
IHSMs are a new design approach that utilizes mechanical motion to create secure tamper-sensing meshes from simple
components. IHSMs solve the issue of creating an impenetrable tamper-sensing envelope by replacing the bespoke
tamper-sensing mesh foil with a set of simple, rigid meshes made from commodity Printed Circuit Boards (PCBs) that are
rotating at high speed. In motion, these simple PCB tamper-sensing meshes are as secure as the much more sophisticated
bespoke foils used in conventional HSMs, yet they are simpler and less expensive to manufacture. To verify that the mesh
is rotating correctly, an accelerometer is placed on the rotating mesh, and its centrifugal force reading is used to
validate itk path of motion.
validate its path of motion.
IHSMs enable the protection of much larger payloads compared to conventional mesh designs, and they can support larger
power dissipation. This and their low cost enables the implementation of high-level hardware security in applications
that previously would not have been possible to secure.
power dissipation. Combined with their low cost, this enables the implementation of high-level hardware security in
applications that previously would not have been possible to secure.
Inertial HSMs are the first fully open source HSM with advanced tamper sensing features. Across application domains,
Inertial HSMs can be applied to gain resistance to physical attacks in scenarios where conventional HSMs were not used
because of cost, computing power or implementation effort. Where conventional HSMs come as fully integrated devices that
only expose limited APIs to their users, Inertial HSMs at their core are just an enclosure that the user can put
whatever hardware they need into, adapting the tamper response to their application's needs. Since the simpler
tamper-sensing mesh construction of IHSMs scales to larger payload volumes, entire servers can be protected---something
that is impossible with conventional HSMs. Since the mesh in an IHSM is constantly moving, unlike a mesh in a
conventional HSM, it does not have to entirely cover the payload. Instead, it can have gaps that allow for air flow
between outside and inside, enabling active cooling of the IHSM's payload. This cooling capability sharply increases
computing power by increasing feasible payload power dissipation by two orders of magnitude.
IHSMs are the first fully open source HSM with advanced tamper sensing features. Across application domains, IHSMs can
be applied to gain resistance to physical attacks in scenarios where conventional HSMs were not used because of cost,
computing power or implementation effort. Where conventional HSMs come as fully integrated devices that only expose
limited APIs to their users, IHSMs at their core are just an enclosure that the user can put whatever hardware they need
into, adapting the tamper response to their application's needs. Since the simpler tamper-sensing mesh construction of
IHSMs scales to larger payload volumes, entire servers can be protected---something that is impossible with conventional
HSMs. Since the mesh in an IHSM is constantly moving, unlike a mesh in a conventional HSM, it does not have to entirely
cover the payload. Instead, it can have gaps that allow for air flow between outside and inside, enabling active cooling
of the IHSM's payload. This cooling capability sharply increases computing power by increasing feasible payload power
dissipation by two orders of magnitude.
\section{Conclusion}
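Review bot: the cryptographer's name is spelt inconsistently within this hunk: the hunk header, the PUF sentence and the videoconferencing paragraph use "Kerckhoffs' principle", while "In this way, Kerckhoff's principle states..." and both occurrences of "Complementary to Kerckhoff's principle" drop the final s; the surname is Kerckhoffs, so the possessive should read "Kerckhoffs'" throughout. Further wording points: "cryptoanalyze" (in both versions of the Security-by-Obscurity sentence) should be "cryptanalyze"; "showing in two case studies how an end-to-end design ... could look like" should drop "like" or read "what ... could look like". The "% FIXME: quote from anderson" block pastes a long verbatim passage whose apostrophes were lost ("wont", "UKs", "engineers expertise", "operations its"); before merging, replace it with a short paraphrase plus a \cite, or remove it. The videoconferencing and "practical reality" paragraphs appear twice in the hunk, once live and once commented out with "%"; keep a single form, and if the section is being retired, delete it rather than leaving dead commented text. Finally, "increasing feasible payload power dissipation by two orders of magnitude" is a quantitative claim and should carry a \ref to the chapter or measurement that supports it.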
@ -156,7 +181,7 @@ Looking at the practice of applied hardware security, we observe that despite am
promising easy hardware security, clearly there is still a lack of solutions that provide the adaptability necessary for
some real use cases at low enough cost. By publishing the tamper-sensing technology we developed during the making of
this thesis as open source hardware designs, we aim to provide this missing building block to provide high-level
hardware security in real-world applications. Our hardware designs can be adapted to a devices ranging from Single-Board
hardware security in real-world applications. Our hardware designs can be adapted to devices ranging from Single-Board
Computers (SBCs) to servers, they are compatible with non-computing applications like Quantum Key Distribution (QKD) and
their design approaches can even be integrated into existing HSM designs to provide better security at little additional
cost.
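Review bot: "Our hardware designs can be adapted to devices ranging from Single-Board Computers (SBCs) to servers, they are compatible with non-computing applications like Quantum Key Distribution (QKD) and their design approaches can even be integrated..." is a comma splice; either end the sentence after "servers" or turn the three clauses into a semicolon-separated list. Two lines earlier, "to provide this missing building block to provide high-level hardware security" repeats "provide"; e.g. "to supply this missing building block for high-level hardware security". The correction of "a devices" to "devices" is right.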

main.bib

@ -137,6 +137,16 @@
langid = {english}
}
@online{amazonAWSCloudHSM,
title = {{{AWS CloudHSM}}},
author = {{Amazon}},
url = {https://aws.amazon.com/cloudhsm/},
urldate = {2025-11-21},
abstract = {AWS CloudHSM provides total access management control and protection for your encryption keys with secure and compliant hardware security modules (HSMs).},
langid = {american},
organization = {Amazon Web Services, Inc.}
}
@inproceedings{amhenriorDesignImplementationAutomatic2017,
title = {Design and Implementation of an Automatic Tamper Detection and Reporting Capability for a Single Phase Energy Meter},
booktitle = {2017 {{IEEE}} 3rd {{International Conference}} on {{Electro-Technology}} for {{National Development}} ({{NIGERCON}})},
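Review bot: `author = {{Amazon}}` and `organization = {Amazon Web Services, Inc.}` name the same publisher twice and most biblatex styles will typeset both; keep one (for a corporate web page in @online, `organization` is the better fit). The triple braces in `title = {{{AWS CloudHSM}}}` can be reduced to `{{AWS CloudHSM}}`, which already protects the casing.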
@ -445,6 +455,13 @@
isbn = {978-1-4503-7590-0}
}
@online{banquecentraleduluxembourgInkstainedBanknotes,
title = {Ink-Stained Banknotes},
author = {{Banque centrale du Luxembourg}},
url = {https://www.bcl.lu/en/Banknotes-and-Coins/remboursement/billets-macules1/index.html},
urldate = {2025-11-21}
}
@book{barakIntensiveIntroductionCryptography,
title = {An Intensive Introduction to Cryptography: {{Computational}} Security},
shorttitle = {An Intensive Introduction to Cryptography},
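Review bot: this entry has neither a `date` nor an archived copy, and its URL ends in a versioned slug ("billets-macules1") that is likely to change; add a web-archive snapshot as the Oberthur entry further down in this file does, so the citation stays resolvable after the `urldate`.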
@ -1912,6 +1929,16 @@
keywords = {Electronic Vote,Encrypt Image,Secret Message,Translation Table,Visual Cryptography}
}
@online{europeancentralbankDamagedInkstainedBanknotes2023,
title = {Damaged and Ink-Stained Banknotes},
author = {{European Central Bank}},
date = {2023-07-10},
url = {https://www.ecb.europa.eu/euro/banknotes/damaged/html/index.en.html},
urldate = {2025-11-21},
abstract = {The European Central Bank (ECB) is the central bank of the European Union countries which have adopted the euro. Our main task is to maintain price stability in the euro area and so preserve the purchasing power of the single currency.},
langid = {english}
}
@article{evansPragmaticIntroductionSecure,
title = {A {{Pragmatic Introduction}} to {{Secure Multi-Party Computation}}},
author = {Evans, David and Kolesnikov, Vladimir and Rosulek, Mike},
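Review bot: the `abstract` ("The European Central Bank (ECB) is the central bank of the European Union countries which have adopted the euro. Our main task is to maintain price stability...") is the ECB's generic site description, not a summary of the damaged-and-ink-stained-banknotes page; drop it so a style that prints abstracts does not attach unrelated text to the citation.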
@ -2186,6 +2213,15 @@
langid = {ngerman}
}
@misc{gematikWhitepaperDatenschutzUnd2025,
title = {Whitepaper Datenschutz und Informationssicherheit in der Telematikinfrastruktur},
author = {{Gematik}},
date = {2025-07},
url = {https://www.gematik.de/media/gematik/Medien/Newsroom/Publikationen/Informationsmaterialien/gematik_Whitepaper_Datenschutz_web_20250707.pdf},
urldate = {2025-11-21},
langid = {german}
}
@software{GerbonaraToolsHandle,
title = {Gerbonara: {{Tools}} to Handle {{Gerber}} and {{Excellon}} Files in {{Python}}},
shorttitle = {Gerbonara},
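Review bot: `langid = {german}` differs from the `langid = {ngerman}` used by the entry immediately above it; biblatex and babel treat `german` as the old orthography, so use `ngerman` here for consistency and correct hyphenation. A URL-only PDF whitepaper also fits @online or @report better than @misc, matching how the other web sources in this commit are typed.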
@ -2348,6 +2384,17 @@
langid = {english}
}
@online{googleCloudHSMCloud2025,
title = {Cloud {{HSM}} | {{Cloud Key Management Service}}},
author = {{Google}},
date = {2025-11-13},
url = {https://docs.cloud.google.com/kms/docs/hsm},
urldate = {2025-11-21},
abstract = {Allows you to host encryption keys and perform cryptographic operations in a Hardware Security Module (HSM) cluster.},
langid = {english},
organization = {Google Cloud Documentation}
}
@incollection{goosInformationTheoreticallySecure1999,
title = {Information {{Theoretically Secure Communication}} in the {{Limited Storage Space Model}}},
booktitle = {Advances in {{Cryptology}} — {{CRYPTO}} 99},
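Review bot: `title = {Cloud {{HSM}} | {{Cloud Key Management Service}}}` still carries the browser-tab separator and the site section, and the "|" will be typeset literally; trim the title to `Cloud {{HSM}}` and leave the section name to `organization`, which already reads "Google Cloud Documentation". As in the AWS entry, `author = {{Google}}` and `organization` overlap; keep one of them.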
@ -2827,6 +2874,18 @@
keywords = {Gears,Grippers,Instruments,Joints,Robots,Surgery,Tendons}
}
@book{horowitzArtElectronics2024,
title = {The Art of Electronics},
author = {Horowitz, Paul and Hill, Winfield},
date = {2024},
edition = {Third edition, 21st printing with corrections},
publisher = {Cambridge University Press},
location = {Cambridge, New York},
isbn = {978-0-521-80926-9},
langid = {english},
pagetotal = {1230}
}
@article{houtman1GHzSamplingOscilloscope2000,
title = {1-{{GHz Sampling Oscilloscope Front End}} Is {{Easily Modified}}},
author = {Houtman, Hubert},
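Review bot: `date = {2024}` is the date of the "21st printing with corrections", not of the edition; the third edition of The Art of Electronics appeared in 2015, so a 2024 year in the citation will read as a newer edition. Either cite `date = {2015}` with `edition = {3}`, or keep 2024 and add `origdate = {2015}`; in both cases the printing detail does not belong in `edition`.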
@ -2971,6 +3030,16 @@
version = {Version 3.4}
}
@online{ibmCloudHSM2016,
title = {Cloud {{HSM}}},
author = {{IBM}},
date = {2016-05-01},
url = {https://cloud.ibm.com/catalog/infrastructure/cloud.ibm.com/catalog/infrastructure/hardware-security-module},
urldate = {2025-11-21},
abstract = {A hardware security module (HSM) is a dedicated crypto processor designed for the protection of the crypto key life cycle. HSMs act as trust anchors that protect the cryptographic infrastructure of some of the most security-conscious organizations in the world by securely managing, processing, and storing cryptographic keys inside a hardened, tamper-resistant device. Cloud HSM is a FIPS 140-2 Level 3 validated, single-tenant device available around the world where you need it most.},
langid = {american}
}
@online{IEEEXploreFullText,
title = {{{IEEE Xplore Full-Text PDF}}:},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=514853},
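Review bot: the `url` repeats a path segment, `https://cloud.ibm.com/catalog/infrastructure/cloud.ibm.com/catalog/infrastructure/hardware-security-module`; remove the duplicated `cloud.ibm.com/catalog/infrastructure/` and re-check the link against the `urldate` of 2025-11-21. `date = {2016-05-01}` for a live catalog page also looks like scraped page metadata rather than the date of the content consulted; drop it or verify it.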
@ -4502,6 +4571,15 @@
urldate = {2021-07-08}
}
@online{microsoftOverviewAzureCloud,
title = {Overview of {{Azure Cloud HSM}}},
author = {{Microsoft}},
url = {https://learn.microsoft.com/en-us/azure/cloud-hsm/overview},
urldate = {2025-11-21},
abstract = {Learn how Azure Cloud HSM offers cryptographic key storage within the Azure environment as a dedicated HSM service.},
langid = {american}
}
@online{mikeselectricstuffNeopostPostalFranking2023,
title = {Neopost {{Postal Franking Machines}}},
author = {{mikeselectricstuff}},
@ -5146,6 +5224,15 @@
keywords = {circuit,conductive traces,film,layer,puf}
}
@misc{oberthurcashprotectionIntroductionCashProtection2019,
title = {Introduction to {{Cash Protection}}: {{Intelligent Banknote Neutralization Systems}}},
author = {{Oberthur Cash Protection}},
date = {2019},
url = {https://www.oberthurcp.com/hubfs/Oberthur_December2020/Pdf/IBNS_Introduction_to_ink_staining_Oberthur_Cash_Protection_2019.pdf},
urldate = {2025-11-21},
annotation = {Archived: https://web.archive.org/web/20250822134238/https://www.oberthurcp.com/hubfs/Oberthur\_December2020/Pdf/IBNS\_Introduction\_to\_ink\_staining\_Oberthur\_Cash\_Protection\_2019.pdf}
}
@article{oflynnPhaseModulationSide,
title = {Phase {{Modulation Side Channels}}: {{Jittery JTAG}} for {{On-Chip Voltage Measurements}}},
author = {OFlynn, Colin},
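Review bot: the archive link is stored in `annotation`, a field that the standard biblatex styles do not print (it exists for annotated-bibliography styles), so the snapshot URL would be lost in the typeset bibliography; move it to `addendum` or `note`. The `\_` escapes are correct in such a text field, whereas the `url` field itself is verbatim and must keep raw underscores, as the entry already does.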
@ -6693,6 +6780,15 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
organization = {Thales}
}
@online{thalesLunaNetworkHardware,
title = {Luna {{Network Hardware Security Modules}}},
author = {{Thales}},
url = {https://cpl.thalesgroup.com/encryption/hardware-security-modules/network-hsms},
urldate = {2025-11-21},
abstract = {Luna Network HSMs is a high-assurance, tamper-resistant, network-attached appliance that's an easy to integrate HSM solution.},
langid = {english}
}
@article{tobisch2020,
title = {Electromagnetic Enclosure {{PUF}} for Tamper Proofing Commodity Hardware and Other Applications},
author = {Tobisch, Johannes and Zenger, Christian and Paar, Christof},
@ -6853,6 +6949,25 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
langid = {english}
}
@online{utimacoUseCases,
title = {Use {{Cases}}},
author = {{Utimaco}},
url = {https://utimaco.com/use-cases},
urldate = {2025-11-21},
langid = {english}
}
@online{utimacoWhatCloudHSM2025,
title = {What Is {{Cloud HSM}}?},
shorttitle = {What Is {{Cloud HSM}}?},
author = {{Utimaco}},
date = {2025-09-10},
url = {https://utimaco.com/service/knowledge-base/hardware-security-modules/what-cloud-hsm},
urldate = {2025-11-21},
abstract = {Cloud HSM is a cloud-hosted Hardware Security Module (HSM) that enables the user to host encryption keys and perform cryptographic operations with the benefits of a cloud service deployment while leveraging the benefits of cloud service deployment and eliminating the need to host and maintain on-premises appliances.},
langid = {english}
}
@misc{Utrust_GP_HSM_Se_Series_Datasheet_ENpdf,
title = {U.Trust {{General Purpose HSM Se-Series Datasheet}}},
date = {2025-04},
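Review bot: in `utimacoWhatCloudHSM2025`, `shorttitle = {What Is {{Cloud HSM}}?}` is identical to `title` and adds nothing; remove it. The `abstract` is vendor marketing copy with a duplicated clause ("with the benefits of a cloud service deployment while leveraging the benefits of cloud service deployment"); trim or drop it. The first entry, `utimacoUseCases`, has no `date`; add one if the page shows it.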
@ -7353,6 +7468,15 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
keywords = {detecting circuitry,line,mesh,tamper,track}
}
@online{WhatCloudHSM,
title = {What Is a {{Cloud HSM}}?},
shorttitle = {What Is a {{Cloud HSM}}?},
url = {https://www.entrust.com/resources/learn/what-is-cloud-hsm},
urldate = {2025-11-21},
abstract = {Learn what a cloud hardware security module (HSM) is and how a cloud HSM can deliver the same cryptographic functionalities as on-premises HSMs.},
langid = {english}
}
@article{wheelerTransmissionLinePropertiesParallel1965,
title = {Transmission-{{Line Properties}} of {{Parallel Strips Separated}} by a {{Dielectric Sheet}}},
author = {Wheeler, H.A.},
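Review bot: the entry `WhatCloudHSM` has no `author` or `organization`, so it will appear as an anonymous web page in the bibliography even though the publisher is evident from the URL; add `author = {{Entrust}}` and rename the key to the vendor-title pattern used by the neighbouring entries, e.g. `entrustWhatCloudHSM`. As in the Utimaco entry, `shorttitle` duplicates `title` and can go.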